[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157544#comment-16157544 ]

Aki Tanaka edited comment on YARN-2554 at 9/7/17 9:35 PM:
----------------------------------------------------------

I want to raise the issue again since the issue affects other applications which 
run on YARN. Actually, I see this problem when we run a Spark job on YARN.
Spark launches the Spark context web UI with a custom SSL certificate when we enable 
SSL with the "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this 
case, the YARN web proxy cannot connect to the Spark context web UI since the web 
proxy cannot verify the SSL cert (a "javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed" error is 
returned).

We should add an option to set the SSL trust store for the YARN RM web proxy. I added 
the updated patch, and this patch lets the web proxy use a custom SSL trust store 
if it is configured in ssl-client.xml.
Pull Request: https://github.com/apache/hadoop/pull/271


was (Author: tanakahda):
I want to raise the issue again since the issue affects other applications which 
run on YARN. Actually, I see this problem when we run a Spark job on YARN.
Spark launches the Spark context web UI with a custom SSL certificate when we enable 
SSL with the "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this 
case, the YARN web proxy cannot connect to the Spark context web UI since the web 
proxy cannot verify the SSL cert (a "javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed" error is 
returned).

We should add an option to set the SSL trust store for the YARN RM web proxy. I added 
the updated patch, and this patch lets the web proxy use a custom SSL trust store 
if it is configured in ssl-client.xml.
Pull Request: https://github.com/apache/hadoop/pull/270

> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -----------------------------------------------------------------------------
>
>                 Key: YARN-2554
>                 URL: https://issues.apache.org/jira/browse/YARN-2554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>    Affects Versions: 2.6.0
>            Reporter: Jonathan Maron
>              Labels: BB2015-05-TBR
>         Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, 
> YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are 
> initialized with SSL listeners.  The RM has a web app proxy servlet that acts 
> as a proxy for incoming AM requests.  In order to forward the requests to the 
> AM the proxy servlet makes use of HttpClient.  However, the HttpClient 
> utilized is not initialized correctly with the necessary certs to allow for 
> successful one way SSL invocations to the other nodes in the cluster (it is 
> not configured to access/load the client truststore specified in 
> ssl-client.xml).   I imagine SSLFactory.createSSLSocketFactory() could be 
> utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM:  Displays an exception such as "javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target"
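
The trust-store handling discussed in this thread, as an added example that is not the attached patch or Hadoop code: a client builds its TLS socket factory from an explicit trust store instead of the JVM default, which is what makes the "PKIX path building failed" handshake error go away for a privately signed UI certificate. It uses the JDK's `HttpsURLConnection` rather than HttpClient to stay self-contained; the class name, the command-line arguments and the `TRUSTSTORE_PASSWORD` environment variable are assumptions of the example.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; example code, not part of YARN.
public class ProxyTrustStoreExample {

    // Build a socket factory that trusts only the certificates in the given
    // store. The three inputs correspond to what ssl-client.xml carries in
    // ssl.client.truststore.location / .password / .type.
    static SSLSocketFactory fromTrustStore(String location, char[] password, String type)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(location))) {
            trustStore.load(in, password); // a null password skips the integrity check
        }
        // An empty store would only fail later, during the handshake, with
        // "the trustAnchors parameter must be non-empty"; fail early instead.
        if (trustStore.size() == 0) {
            throw new IllegalStateException("trust store has no entries: " + location);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: one-way SSL
        return ctx.getSocketFactory();
    }

    // Usage: java ProxyTrustStoreExample <truststore.jks> <https URL of the AM web UI>
    public static void main(String[] args) throws Exception {
        String pw = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
        SSLSocketFactory factory =
                fromTrustStore(args[0], pw == null ? null : pw.toCharArray(), "jks");
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(args[1]).toURL().openConnection();
        conn.setSSLSocketFactory(factory); // hostname verification stays enabled
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run against the same URL without the `setSSLSocketFactory` call, a certificate that is not signed by a CA in the JVM's default trust store produces the `SSLHandshakeException` quoted in the issue.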


